Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix #2242 by upgrading express and its dependencies to newer major versions #2244

Closed
wants to merge 1 commit into from

Conversation

seratch
Copy link
Member

@seratch seratch commented Sep 11, 2024

Summary

This pull request could resolve #2242 but it's not an ideal solution for us. This change forces existing ExpressReceiever users to migrate to Express v5 immediately. To reviewers: read #2242 for context.

Even if we don't do this, migrating path-to-regexp to v8 must be done as early as possible.

Requirements (place an x in each [ ])

@seratch seratch added the dependencies Pull requests that update a dependency file label Sep 11, 2024
@seratch seratch added this to the 3.x milestone Sep 11, 2024
@seratch seratch requested a review from filmaj September 11, 2024 08:03
@@ -529,7 +529,7 @@ describe('ExpressReceiver', function () {
// Act
const req = { body: { }, url: 'http://localhost/slack/oauth_redirect', method: 'GET' } as Request;
const resp = { send: () => { } } as Response;
(receiver.router as any).handle(req, resp);
(receiver.router as any).handle(req, resp, () => {});
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the only breaking change affecting our code so far.

"express": "^4.16.4",
"path-to-regexp": "^6.2.1",
"express": "^5.0.0",
"path-to-regexp": "^8.1.0",
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just ugprading path-ot-regrexp does not resolve the npm-audit error yet. express v4.x still brings path-to-regexp v6

Copy link

codecov bot commented Sep 11, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 87.78%. Comparing base (c9adc2f) to head (4d990b1).
Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2244      +/-   ##
==========================================
+ Coverage   81.59%   87.78%   +6.19%     
==========================================
  Files          19       19              
  Lines        1646     1646              
  Branches      464      464              
==========================================
+ Hits         1343     1445     +102     
  Misses        194      194              
+ Partials      109        7     -102     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@seratch
Copy link
Member Author

seratch commented Sep 11, 2024

The tests with Node 12 and 14 fail, but if we include this express major upgrade in a major release, we can consider dropping these EOLed runtime versions too.

@seratch seratch modified the milestones: 3.x, 4.0.0 Sep 11, 2024
@filmaj
Copy link
Contributor

filmaj commented Sep 11, 2024

Interesting, even after deleting node_modules and package-lock.json and running npm run build:clean, I can't reproduce the test failures locally using node 12 and 14. I will continue to investigate.

Perhaps doing a small, focussed bolt v4 major release that includes these changes, dropping node 12, 14 and 16, and perhaps a few other small things (like moving to socket-mode v2) is worthwhile. I will investigate the scope of the breaking changes in new express shortly.

@filmaj
Copy link
Contributor

filmaj commented Sep 11, 2024

I am able to reproduce the issue locally now - not sure why I wasn't before - but also can fix the failing tests by adding lib: ['ES2018'] to the tsconfig.json (essentially: forcing typescript to also transpile dependencies).

However, based on internal discussions, it seems like most of the team is leaning towards doing a smaller-scoped new major version release that includes express v5. Since ExpressReceiver exposes all of express' APIs, updating express within bolt means we push the breaking express changes onto users of ExpressReceiver. So I think that requires us to release a new major version of bolt in this situation.

Let's continue the discussion internally to agree on the scope for relevant changes to address the security vulnerability. In the mean time, I will work on a fork of this PR as a draft for, at least, some of the suggestions floated internally re: scope of changes.

@seratch
Copy link
Member Author

seratch commented Sep 11, 2024

@filmaj When you come up with a complete pull request for v4, please feel free to close this one!

@filmaj
Copy link
Contributor

filmaj commented Sep 11, 2024

Sounds good, thank you, will do. I have started working on a branch that forks from your work 🙇

@filmaj
Copy link
Contributor

filmaj commented Sep 13, 2024

Closing in favour of #2254 (which incorporates this PR 🙇 )

@filmaj filmaj closed this Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

package vulnerabilities with dependency "path-to-regexp" and "send"
2 participants